Unknown Files Blocking

A single infection at an endpoint can spread and affect other endpoints connected to the same network. Endpoints are considered to be the most vulnerable node in an enterprise network, which has made it the preferred target for cyber criminals. Hence, it is of paramount importance to ensure robust security for the endpoint.

The Most Effective Solution for Unknown Files Blocking - Comodo AEP

There are hundreds of endpoint protection solutions, and each promises to provide absolute protection. They cite numerous technologies such as
cloud antivirus, firewall, and host intrusion prevention systems (HIPS). However, none of them, except Comodo Advanced Endpoint Protection (AEP) provides security against "unknown files". Comodo AEP is the most effective solution for unknown files blocking. Endpoint protection solutions employ a centralized approach to protect all the devices connected to the enterprise network. Devices include - servers, workstations, laptops, tablets, mobile phones and IoT devices. Effective unknown files blocking must take place at these endpoints.

The Good, Bad and the Unknown

No, it is not a movie title. Endpoint protection solutions face three types of files – processes or executables (PE). These are the known bad files, the known good files, and the unknown files. Virus databases contain a huge library of malware definitions or virus definitions – this is called as
blacklisting. Worldwide, cyber security vendors analyze and maintain this library of bad files. Considering the huge number of malware and new malware versions being created every day, some vendors share this library as part of a cooperative effort. Comodo Threat Research Labs (CTRL) provides the largest library of known “bad” files, securing over 87 million Windows PC users. The blacklisting method provides the signatures to block known bad files.

Very few cyber security vendors maintain a library of "known good files" – these are files (PEs) from known “good” code producers. This process is called as
whitelisting and Comodo provides the most comprehensive library of all known “good” code producers.

The unknown files are those that are neither on the blacklist or the whitelist. In the traditional antivirus approach, all files other than the known bad files are allowed unfettered access to system files (with the belief that they are good files). Reality has proven that cyber criminals release modified versions of known existing malware, and these do not get detected through virus-definition-based protection. Softwares are available which allow even novices to create modified versions. Traditional approach fails to block this type of malware.

Failure of Some New Approaches

In order to overcome the shortfalls of this method, cyber security vendors have developed newer approaches such as more robust firewall, HIPS, machine learning, artificial intelligence, sandboxing, automated containment, and real-time behavioral analysis. Most new approaches follow a default allow endpoint security posture, which fails in the process of unknown files blocking.

Sandboxes are automated behavioral analysis tools that run unknown files in virtual environments to observe if their behavior is malicious. This method has demonstrated some benefits in unknown files detection and unknown files blocking. However, this process takes considerable time and the user will not be able to access the file until that period.

"Patient Zero" Infection: Some of these approaches allow the possibility of initial “patient zero” infection when the file is being studied in the sandbox. If the file is malicious, it can cause all the damage that it needs to do within this period. Ransomware, worms, viruses and other malware can cause all the damage within this window period.

Comodo AEP utilizes a default deny posture to block all files and run them in auto-containment. This is a sophisticated virtual environment that comprises a virtualization of COM interfaces, disk, registry, and memory. Some sophisticated malware can detect virtual environments and they stay dormant to thwart detection. Comodo’s auto-containment technology is not detectable as a virtual environment, and hence the malware carries out its malicious activity, which is observed by Comodo and the file is blocked.

Many vendors offer sandboxing, however malware detects the virtual environment. Most
endpoint security solutions focus on remediation and forensic details on the file. These solutions allow initial infection of the endpoint and then attempt to contain the infection or rollback to the non-infected state.

Comodo AEP with Secure Auto-Containment

In
Comodo AEP with Secure Auto-Containment, user productivity is sustained, while zero-day threats and advanced persistent threats are effectively blocked, making it the only cyber-security solution for successful unknown files blocking.